Next, I would run authenticated vulnerability scans against a representative selection of devices -- the QualysGuard appliance is excellent for this, but Nessus and other scanners provide a good alternative, providing they are configured correctly (beware of causing denial-of-service or other outages).
Lastly, I would compare system configurations with best practice, again for a representative selection of devices, using manual techniques. Best practice will depend on the systems you are using (Cisco vs. Microsoft vs. Unix, etc.). Generally, I advise people to look at the National Security Agency (NSA) and Center for Information Security (CIS) standards documents, although some of their more rigorous settings may need to be relaxed for some commercial environments.
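As an added illustration of the manual configuration-versus-baseline comparison described above (this is not code from the original answer, and the rules and sample configuration are constructed for the example rather than quoted from any NSA or CIS benchmark), the following script checks a Cisco-style running configuration against a small set of must-have and must-not-have statements and reports the rules it fails:

```python
"""Baseline configuration comparison (added example, not from the original Q&A).

Evaluates a device configuration against a short list of hardening rules
of the kind found in vendor and NSA/CIS-style guides. The BASELINE rules
and SAMPLE_CONFIG below are constructed for illustration; a real review
would load the organisation's own baseline for each platform.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Rule:
    rule_id: str
    description: str
    pattern: str      # regex matched against each normalised config line
    required: bool    # True: a matching line must exist; False: none may exist


@dataclass
class Finding:
    rule_id: str
    description: str
    matched_lines: list = field(default_factory=list)   # offending lines for "must not" rules


# Constructed baseline (assumed settings, not quoted from a published benchmark).
BASELINE = [
    Rule("R1", "Stored passwords must be encrypted", r"^service password-encryption$", True),
    Rule("R2", "Clear-text HTTP management must be disabled", r"^no ip http server$", True),
    Rule("R3", "Remote login must be restricted to SSH only", r"^\s+transport input ssh$", True),
    Rule("R4", "Default SNMP community strings must not be present",
         r"^snmp-server community (public|private)\b", False),
    Rule("R5", "Unrestricted permit-any ACL entries must not be present",
         r"^access-list \d+ permit any", False),
]


def normalise(config_text):
    """Drop comment ('!') and blank lines and trailing whitespace; keep indentation."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        lines.append(line)
    return lines


def evaluate(config_text, baseline=BASELINE):
    """Return the list of Findings (rules the configuration fails), in baseline order."""
    lines = normalise(config_text)
    findings = []
    for rule in baseline:
        rx = re.compile(rule.pattern)
        hits = [line for line in lines if rx.search(line)]
        if rule.required and not hits:
            findings.append(Finding(rule.rule_id, rule.description))
        elif not rule.required and hits:
            findings.append(Finding(rule.rule_id, rule.description, hits))
    return findings


# Constructed sample configuration; deliberately fails R2, R3 and R4.
SAMPLE_CONFIG = """\
! constructed sample, not a real device
hostname edge-rtr-01
service password-encryption
snmp-server community public RO
ip http server
line vty 0 4
 transport input telnet ssh
access-list 10 permit 10.0.0.0 0.255.255.255
"""

if __name__ == "__main__":
    for f in evaluate(SAMPLE_CONFIG):
        print(f"[{f.rule_id}] {f.description}")
        for line in f.matched_lines:
            print(f"    offending line: {line.strip()}")
```

The rule list is the part that varies by platform: keep one baseline per device class (Cisco, Windows, Unix) and relax individual rules deliberately, with a recorded justification, rather than editing the checker when a commercial environment cannot meet a stricter setting.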